Cascade writes code autonomously, runs commands, and connects to external tools. Agent Keeper intercepts every action — with the most comprehensive enforcement of any AI coding IDE.
No credit card required · Free tier forever · One command setup
Cascade actions — all covered
| Action | Hook | Status |
|---|---|---|
| Shell commands | pre_run_command | Blocked |
| File writes (IDE-unique) | pre_write_code | Blocked |
| File reads | pre_read_code | Blocked |
| MCP tool calls | pre_mcp_tool_use | Blocked |
| User prompts | pre_user_prompt | Blocked |
Windsurf has the most comprehensive hook system of any AI coding IDE. Agent Keeper leverages every pre-hook to block threats before they execute.
That's what makes it powerful. It's also what makes it a security surface.
Cascade can
Autonomous code generation needs guardrails. Agent Keeper provides them.
Cascade can write any file in your project autonomously. Without pre-write enforcement, secrets end up committed, reverse shells get saved to disk, and config files get corrupted — all before you notice.
Cascade runs terminal commands, reads source files, and calls MCP tools on your behalf. Without hooks, you have no audit trail — just a git diff after the fact.
Cascade reads files and processes their content as context. Malicious instructions embedded in source files, configs, or dependencies can redirect the agent's behavior.
Most IDEs only let you audit after the fact. Windsurf's hook system gives Agent Keeper the ability to block before anything happens.
pre_write_code: Agent Keeper scans the file content Cascade is about to write. Reverse shells in bash scripts, API keys hardcoded in configs, malicious npm install hooks — all caught and blocked before the file ever touches disk.
pre_user_prompt: Cascade reads your files and feeds them as context. Malicious instructions embedded in source code, package.json scripts, or even markdown docs can hijack the agent. pre_user_prompt intercepts this before Cascade acts.
exit code 2: Windsurf's hook system uses exit code 2 as a reliable blocking signal. Agent Keeper returns exit code 2 to halt any action outright — no partial writes, no partial command execution. Clean and deterministic.
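A minimal pre-write content check that maps findings to the exit-code contract described above, including the warn/block distinction. This is an added example, not Agent Keeper's or Windsurf's code. The rules, the `SAMPLES` inputs, the `scan`/`decide` names, and the idea that the pending content arrives as raw text on stdin are all assumptions made for illustration.

```python
import re
import sys

BLOCK, ALLOW = 2, 0  # the page states exit code 2 halts the action

# Constructed illustrative rules, not Agent Keeper's actual threat patterns.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("bash-dev-tcp-socket", re.compile(r"/dev/tcp/[\w.-]+/\d+")),
    ("npm-install-hook-pipes-download-to-shell",
     re.compile(r'"(?:pre|post)?install"\s*:\s*"[^"]*\b(?:curl|wget)\b'
                r'[^"]*\|\s*(?:ba)?sh\b')),
]

# Constructed sample inputs (documentation-range IP, AWS's published example key).
SAMPLES = {
    "clean.js": "export const port = 8080;\n",
    "deploy.sh": "exec 3<>/dev/tcp/192.0.2.10/4444\n",
    "config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
}

def scan(content):
    """Return the names of all rules matching the pending file content."""
    return [name for name, rx in RULES if rx.search(content)]

def decide(content, mode="block"):
    """Map findings to (exit_code, message) for 'block' or 'warn' mode."""
    hits = scan(content)
    if not hits:
        return ALLOW, "allowed"
    if mode == "warn":
        # Warn mode: record the detection but let the write proceed.
        return ALLOW, "warned: " + ", ".join(hits)
    return BLOCK, "blocked: " + ", ".join(hits)

def main(argv):
    # Assumption: the hook receives the pending file content as raw text on
    # stdin; the page does not describe Windsurf's actual hook payload.
    mode = argv[1] if len(argv) > 1 else "block"
    code, message = decide(sys.stdin.read(), mode)
    print(message, file=sys.stderr)
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```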
Four steps from install to full coverage.
Run the Agent Keeper installer with the Windsurf target. Hooks are registered in Cascade's lifecycle — no manual config required.
bash <(curl -fsSL https://www.agentkeeper.dev/install-hooks.sh) --ide windsurf
Agent Keeper registers on every Windsurf pre-hook — covering prompts, file reads, file writes, shell commands, and MCP calls.
pre_run_command: Shell commands
pre_write_code: File writes
pre_read_code: File reads
pre_mcp_tool_use: MCP tool calls
pre_user_prompt: User prompts
Behavioral detection tuned for zero false positives on normal development. Dangerous actions are stopped with exit code 2 before they execute.
When a hook blocks an action, Cascade receives a descriptive error message — and the event is logged to your Agent Keeper dashboard with full context.
97% Compliance · 18 Developers · 89 Threats Blocked · 2.4k File Writes Scanned
Every feature designed to give you control without slowing your developers down.
Unique to Windsurf: scan file content before it's written to disk. Catches secrets, malicious scripts, and dangerous patterns in generated code before they become a problem.
pre_user_prompt hook scans every prompt before Cascade processes it. Catches social engineering, jailbreaks, and embedded instructions in file content that Cascade reads as context.
Allow, warn, or block specific MCP tool calls per org. Control which external integrations Cascade can invoke and log every call to your audit trail.
pre_run_command intercepts every terminal command before execution. Prevent rm -rf, curl | bash, and other dangerous patterns from running autonomously.
Every prompt, file write, shell command, and MCP call logged with timestamps, session context, and user identity. Full forensic trail for incident response.
Windsurf version, hooks active, threats blocked — per developer. One view for your entire Cascade fleet's security posture.
Windsurf's hook system is the most comprehensive. Agent Keeper makes full use of every capability.
| Capability | Cursor | Windsurf + Agent Keeper |
|---|---|---|
| Shell command blocking | ||
| File write blocking (pre-write, unique to Windsurf) | ||
| File read blocking | ||
| MCP tool call blocking | ||
| Prompt injection blocking | ||
| Fleet compliance dashboard | ||
| Complete audit trail | ||
| Custom org policies | ||
| 30+ threat patterns | ||
Windsurf's hook system uses exit codes for blocking — it cannot inject warning context back to the Cascade agent. In warn mode, detections are logged to your dashboard but Cascade is not notified of the detection. Block mode (exit code 2) is fully effective and stops the action outright.
Start free — no credit card required. Scale when you need to.
For individual developers
Need enterprise features? Contact us for enterprise pricing